Qualys Cloud Platform

Free Services

Microsoft security alert.

April 9, 2013

Advisory overview

Qualys Vulnerability R&D Lab has released new
vulnerability checks in the Qualys Cloud Platform to protect
organizations against
15 vulnerabilities
that were fixed in
9 bulletins
announced today by Microsoft. Customers can immediately audit
their networks for these and other new vulnerabilities by accessing
their Qualys subscription. Visit our blog to see how to prioritize remediation.

This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client by correcting pathnames used by the Microsoft Antimalware Client.

This security update is rated Important for the Microsoft Antimalware Client in supported versions of Windows Defender for Windows 8 and Windows RT.

Consequence

An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Workaround:
Use this workaround to block attack vectors for the vulnerability on Windows 8 and Windows RT systems. It rewrites the ImagePath of the WinDefend service; the hex(2) (REG_EXPAND_SZ) value in step 2 decodes to the quoted path "%ProgramFiles%\Windows Defender\MsMpEng.exe", so the space-containing path is wrapped in quotes and the Service Control Manager has no ambiguity about which executable to start.
1. Create a backup of the registry keys. Backup copies can be made using a managed deployment script by running the following command as an administrator:
Regedit.exe /e c:\temp\Windefend_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Note: when run as an administrator, the above command creates a file named "Windefend_backup.reg" in the c:\temp folder.
2. Create a text file named Windefend_ImagePath_fix.reg with the following contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
3. Save the Windefend_ImagePath_fix.reg file to the c:\temp folder.
4. Run the registry script file you created in step 2 on the target system by using one of the following methods:
Method #1: Double-click the Windefend_ImagePath_fix.reg file. The following confirmation message should be displayed:
The keys and values contained in C:\temp\Windefend_ImagePath_fix.reg have been successfully added to the registry.
Method #2: Alternatively, run the following command as an administrator:
Regedit /s c:\temp\Windefend_ImagePath_fix.reg
Warning: when using the command-line method above, no confirmation message is displayed. You will not be notified as to whether or not the registry keys and values were successfully added to the registry.

Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems.

Microsoft Internet Explorer is prone to a remote code execution vulnerability that exists in the way it accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Microsoft has released a security update that addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.

An attacker who successfully exploited this vulnerability could execute arbitrary code on affected systems with the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Workaround:
1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
2. Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
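Both workarounds on this page (the WinDefend ImagePath fix above and the IE zone lockdown just described) are delivered as registry changes, and a practitioner wants to verify what a .reg script does before pushing it to a fleet. The following is an added example, not code from the advisory or from Qualys: a small parser for the regedit 5.00 export subset those scripts use (quoted strings, dword, hex/hex(n) byte lists with backslash continuation lines), applied to the advisory's own WinDefend payload, plus a check for the property the fix restores (a service executable path with spaces must be quoted). The IE portion uses a constructed .reg file and assumes the documented zone layout (zone 1 = Local intranet, zone 3 = Internet; value 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting"; 0 = enable, 1 = prompt, 3 = disable); function names and the IE_LOCKDOWN_REG sample are this example's own.

```python
"""Audit Windows .reg workaround scripts before importing them (added example)."""
import re
from typing import Dict, Union

RegValue = Union[str, int, bytes]

# The WinDefend ImagePath fix exactly as it appears in the advisory (hex(2) = REG_EXPAND_SZ).
WINDEFEND_FIX_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
'''

# Constructed sample (not from the advisory): the IE zone lockdown as a .reg file.
# Assumed layout: zone 1 = Local intranet, zone 3 = Internet; value 1200 = "Run ActiveX
# controls and plug-ins", 1400 = "Active scripting"; 0 = enable, 1 = prompt, 3 = disable.
IE_ZONES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
IE_LOCKDOWN_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f"[{IE_ZONES}\\{zone}]\n\"1200\"=dword:00000003\n\"1400\"=dword:00000003\n\n"
    for zone in (1, 3)
)


def decode_value(raw: str) -> RegValue:
    """Decode the right-hand side of a "name"=... line."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    # A trailing backslash continues a hex byte list on the next line.
    text = text.replace("\\\r\n", "").replace("\\\n", "")
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def image_path_is_quoted_safely(image_path: str) -> bool:
    r"""True if the SCM cannot misparse the executable part of a service ImagePath.

    An unquoted C:\Program Files\Windows Defender\MsMpEng.exe is resolved by trying
    C:\Program.exe, then C:\Program Files\Windows.exe, before the real binary, so a
    writable ancestor directory becomes code execution as the service account.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return path.find('"', 1) != -1       # quoted executable; arguments may follow
    end = path.lower().find(".exe")
    exe = path if end == -1 else path[:end + len(".exe")]
    return " " not in exe


def ie_zone_lockdown_applied(keys, zones=(1, 3), values=("1200", "1400")) -> bool:
    """True if ActiveX and Active Scripting are set to prompt (1) or disable (3) in each zone."""
    for zone in zones:
        settings = keys.get(f"{IE_ZONES}\\{zone}", {})
        if any(settings.get(v) not in (1, 3) for v in values):
            return False
    return True


def windefend_image_path(reg_text: str = WINDEFEND_FIX_REG) -> str:
    """Return the decoded ImagePath the advisory's fix writes."""
    keys = parse_reg(reg_text)
    return keys[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend"]["ImagePath"]


if __name__ == "__main__":
    fixed = windefend_image_path()
    print("WinDefend ImagePath after fix:", fixed, "| safe:", image_path_is_quoted_safely(fixed))
    print("IE zone lockdown applied:", ie_zone_lockdown_applied(parse_reg(IE_LOCKDOWN_REG)))
```

The same parser can be pointed at an export taken from a host after the workaround was imported (regedit /e) to confirm it landed; on the host itself, sc qc WinDefend shows the BINARY_PATH_NAME the Service Control Manager will actually use.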

The Remote Desktop Control object is a Microsoft ActiveX control used to customize the Remote Desktop Services user experience.

The vulnerability occurs when the Microsoft Remote Desktop ActiveX Control attempts to access an object in memory that has been freed, potentially corrupting memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

Microsoft has released a security update that addresses the vulnerability by modifying the way Remote Desktop Client handles objects in memory.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:

The Windows kernel is the core of the operating system. The kernel provides system-level services such as device management and memory management, allocates processor time to processes and manages error handling.

The Ntoskrnl.exe file is prone to multiple race conditions that could be leveraged by an attacker to execute code with elevated privileges. These vulnerabilities are caused by improper handling of objects in the system memory.

Microsoft Active Directory Denial Of Service Vulnerability (MS13-032)

Active Directory Services contains an extensible and scalable set of services that enables you to efficiently manage corporate identities, credentials, information protection, and system and application settings.

A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding. The vulnerability occurs when the LDAP service fails to handle a specially crafted query (CVE-2013-1282).

An elevation of privilege vulnerability exists when the Windows CSRSS improperly handles objects in memory. The security update addresses the vulnerability by correcting the way Windows CSRSS handles objects in memory.

An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:

An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read or use the victim's identity to take actions on the targeted site or application.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Win32k.sys is a kernel-mode device driver and the kernel part of the Windows subsystem.
Elevation of privilege vulnerabilities exist when the Windows kernel-mode or the NTFS kernel-mode drivers improperly handle objects in memory.
A denial of service vulnerability exists when Windows kernel-mode driver fails to handle a specially crafted font file.

This security update addresses the vulnerabilities by correcting the way the Windows kernel-mode and NTFS kernel-mode drivers handle objects in memory and the way the Windows kernel-mode drivers handle a specially crafted font file.

These new vulnerability checks are included in Qualys
vulnerability signature
2.2.405-3.
Each Qualys account is automatically updated with the latest
vulnerability signatures as they become available. To view the
vulnerability signature version in your account, from the
Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 is available.

Enable Windows Authentication (specify Authentication Records).

Enable the following Qualys IDs:

121050

100145

90876

110209

90878

90877

90874

90879

90875

If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.

If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.